'White hats' on China's internet are growing rapidly

via Flickr Cybersecurity specialist Wang Qi gets more than a little irritated at how Chinese society often views IT geeks like himself - as socially inept and isolated guys who dress like penniless slobs.

"In fact, some think we don't deserve to have a decent position in society," says a testy Wang, 35, an established "white hat" - a hacker who identifies weaknesses in internet security with the aim to improve it.

It's perhaps understandable for Wang to have a chip on his shoulder - his expertise is fast becoming one of the most important jobs in the modern world. A former senior security specialist at Microsoft China, Wang has set up his own cybersecurity venture, Keen Team, and gained an internal reputation in the world of white hats.

"The demand for security protection from businesses is rising rapidly, thanks to non-stop advances of the internet technology," says Wang.

Set up in 2011, his Shanghai-based internet security company has now become an adviser for technology giants including Apple and Huawei.

Hackers are getting bigger, bolder and faster as digital technology is integrated more deeply into everyday life, according to the latest report by Symantec. Cyberattackers are infiltrating networks and hijacking the infrastructure of companies and turning it against them, while extorting end-users through their smartphones and social media to make some quick cash.

In China, the non-profit National Computer Network Emergency Response Technical Team said the number of data leaks recorded had tripled since 2013 to 9,068 instances in 2014. As businesses try to fend off the rise in cyberattacks, it is becoming more lucrative to join the country's burgeoning cybersecurity industry.

That may explain the rapid growth in the number of white hats in China's internet landscape over the past three years. A report published by Chinese internet security company Qihoo 360 said numbers have risen rapidly in recent years.

REUTERS On the Qihoo platform alone, the number of white hat hackers registered to help businesses spot vulnerabilities within their systems jumped from 2,490 in 2014 to 13,812 this year. Most (63.8 per cent) were born in the 1990s, while those born in the 1980s make up 34.4 per cent, the Qihoo report said. Of those registered last year, only four (less than 0.2 per cent) were women.

But, as in many other segments of digital business, cybersecurity companies find it tough to retain talent.

"Brain drain is a chronic problem in this emerging community of white hat hackers," Wang says. "The most talented can be easily enticed to a well-established technology company, so we try to keep people engaged by organising more off-line activities."

Last year, for instance, his company co-organised GeekPwn, a mainland version of international security geek contest Pwn2Own, to attract talent.

Wang, who holds a master's in information technology from Shanghai Jiao Tong University, made an impression at the Beijing event by using a smartphone to gain control of a Tesla electric car. He and his team were able to do so after spending 100 days figuring out the vulnerabilities of the vehicle.

Tesla Keen Team has started to make a name for itself at Pwn2Own, which has been held since 2007 at the CanSecWest computer security conference in Canada. With cash prizes from companies such as Google and Apple as rewards, contestants try to reveal unknown weaknesses in widely used software and smart devices and their findings help gauge progress in improving security.

At the Mobile Pwn2Own contest held in Tokyo in 2013, Keen Team participants managed to break into Apple's web browser, Safari, within 30 seconds, winning themselves US$40,000. Keen developers claimed the number of security risks they found in iOS was more than double that disclosed by Apple.

At the event in Canada last year, Keen Team collected US$140,000 in prize money from two other exploits.

Life is undoubtedly better these days as a young white hat in China. Even without a job offer from a technology major, it's possible to earn enough from competitions and advising companies to live comfortably.

"An income of about 20,000 yuan [HK$25,000] a month is the average, so having a relatively affluent lifestyle is not a real problem," says Luo Qinglan, founder and CEO of Moule, another Shanghai-based cyberspace security start-up.

Patrick Lux/Getty Images "What really makes young hackers fixate on the job is passion," says Lou, 27, who leads a team of more than 30 white hats in his company.

"All are cyberspace security fanatics, and what I am doing is merely setting up a fair and liberal workshop where we can get together to enjoy research on information technology."

As for the young white hats in China, typing away at a keyboard and sleeping on a couch for days to concentrate on breaking one security loophole is nothing unusual. It's estimated that it takes 78 days on average to uncover a single vulnerability.

Now gearing up for a second round of fundraising, Moule has collaborated with dozens of public agencies and companies, particularly in the booming e-commerce sector. Its partners include ventures such as Yihaodian, a major online grocery shop, and Dianping, which operates a Yelp-like user review website where customers can purchase dining coupons.

"Living in the bubble of online finance and e-commerce, people rarely realise that some of our most important personal and financial information are placed up the cloud, a network of remote servers used to store, manage, and process data," says Luo, who studied computer science at Donghua University in Shanghai.

Stringer Shanghai/Reuters

About 26 per cent of security vulnerabilities are found on e-commerce websites, according to the report released by Qihoo 360 earlier this year.

But while IT geeks find it thrilling to make breakthroughs mining vulnerabilities, raising awareness in the business community about the need for cyberspace security remains a challenge.

Many business executives regard investment on security upgrades as a huge cost, rather than a pre-emptive measure to hedge against cybercrimes, according to a 2014 global survey by consultancy Ernst & Young.

"Cybersecurity is not seen as an added-value activity and is viewed as a cost which needs to be limited as much as possible," the report said. Less than 20 per cent of organisations have real-time insight on cyberspace risks, and 63 per cent consider budget constraints as the main obstacle to investing more on security upgrades.

Meanwhile, the cyberattacks keep coming. "Apart from those people who hack into websites for sport, many malicious hackers target organisations for money," Luo says.

Wang says: "Even though the cost of upgrading security system is rising, it's merely heading to its normal level given the ever more pervasive cyberspace attacks and the fact that its value was much more underestimated in the past." More people are coming around to this conclusion, however - the recent GeekPwn contest in Beijing awarded three million yuan in cash prizes.